Raffael Marty writes:
I am doing some research on NetFlow and wanted to ask you guys a few things: How are you using NetFlow? For what purposes? Billing? Security?
Yes, both billing (and coarse-grained traffic analysis on our upstream and peering connections) and security (detection and localization of malicious traffic, trend analysis, "cyberepidemiology" research).
Do you have NetFlow enabled on all your routers?
In our setup we only use data from our border (peering) routers.
Do you enable it on all the interfaces or just on the external/internal interface?
We have it enabled in the ingress direction on all interfaces, so that we can count all traffic both inbound and outbound through the router. Also our current platform (with current software) cannot enable NetFlow selectively.
Do you utilize any tool to stitch the NetFlows back together? Why would you do that?
In the part I'm responsible for (billing etc.), I don't try to match related unidirectional flows to bidirectional flows. Maybe for security applications this would be more useful. At any rate it's difficult in our network, because the two directions often go through different routers.
I guess you can tell that I was never exposed to NetFlow in the ISP world. Any answers or comments are really appreciated.
I maintain a page with pointers to NetFlow-related software packages - maybe you'll find it useful:
http://www.switch.ch/tf-tant/floma/software.html
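
Added example, not part of the original message: a minimal sketch of the flow "stitching" discussed above, pairing unidirectional flow records into bidirectional sessions even when the two directions were exported by different routers. The record fields, the `slack` tolerance, the exporter names r1/r2 and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    exporter: str   # router that exported the record (hypothetical names)
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    first: float    # flow start, seconds
    last: float     # flow end, seconds
    octets: int

def session_key(f):
    """Direction-independent key: both endpoints sorted, plus protocol."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (min(a, b), max(a, b), f.proto)

def stitch(flows, slack=5.0):
    """Pair each flow with an opposite-direction flow that has the same
    endpoints and starts no later than `slack` seconds after the first one
    ended. The exporter is ignored on purpose, since the two directions
    may cross different routers. Returns (pairs, unmatched)."""
    buckets = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.first):
        buckets[session_key(f)].append(f)
    pairs, unmatched = [], []
    for group in buckets.values():
        pending = []  # flows still waiting for their reverse direction
        for f in group:
            match = next((p for p in pending
                          if (p.src, p.sport) == (f.dst, f.dport)
                          and f.first <= p.last + slack), None)
            if match:
                pending.remove(match)
                pairs.append((match, f))
            else:
                pending.append(f)
        unmatched.extend(pending)
    return pairs, unmatched

# Constructed sample records using documentation address ranges.
SAMPLE = [
    Flow("r1", "192.0.2.10", "198.51.100.5", 40000, 443, 6, 100.0, 130.0, 1200),
    Flow("r2", "198.51.100.5", "192.0.2.10", 443, 40000, 6, 100.2, 130.1, 90000),
    Flow("r1", "192.0.2.11", "203.0.113.9", 53124, 53, 17, 200.0, 200.0, 80),
    Flow("r1", "192.0.2.10", "198.51.100.5", 40000, 443, 6, 900.0, 905.0, 500),
]
```

A flow left in `unmatched` either received no reply or had its reverse direction pass through a router whose records are not in the input.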